CVE-2024-40637: dbt has an implicit override for built-in materializations from installed packages
What kind of vulnerability is it? Who is impacted?
When a user installs a package in dbt, that package can override macros, materializations, and other core components of dbt. This is by design, as it allows packages to extend and customize dbt's functionality. However, it also means that a malicious package could override these components with harmful code, and because the override of a built-in materialization is implicit, the project author gets no signal that it has happened.
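One defensive check a project owner can run before trusting installed packages is to scan the `dbt_packages/` tree for package-defined materializations whose names collide with dbt's built-ins. The script below is an added example written for this advisory, not dbt's own code; the package names, file paths and file contents in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

# dbt's built-in materialization names that an installed package could shadow.
BUILTIN_MATERIALIZATIONS = {
    "table", "view", "incremental", "snapshot", "seed",
    "test", "unit", "clone", "materialized_view",
}

# Matches the Jinja tag that defines a materialization, e.g.
#   {% materialization table, default %}
#   {%- materialization incremental, adapter="snowflake" -%}
MATERIALIZATION_TAG = re.compile(
    r"\{%-?\s*materialization\s+([A-Za-z_][A-Za-z0-9_]*)"
    r"(?:\s*,\s*([^%]*?))?\s*-?%\}"
)


def find_builtin_overrides(packages_dir):
    """Walk a dbt_packages/ directory and report every materialization a package
    defines under a built-in name. Returns a sorted list of
    (package, relative_file, materialization, target) tuples."""
    root = Path(packages_dir)
    findings = []
    for sql_file in root.rglob("*.sql"):
        rel = sql_file.relative_to(root)
        package = rel.parts[0]            # first path component is the package name
        text = sql_file.read_text(encoding="utf-8", errors="replace")
        for match in MATERIALIZATION_TAG.finditer(text):
            name, target = match.group(1), (match.group(2) or "")
            if name in BUILTIN_MATERIALIZATIONS:
                findings.append((package, rel.as_posix(), name, target))
    return sorted(findings)


def demo():
    """Constructed tree: one benign package and one that shadows 'table'."""
    tmp = Path(tempfile.mkdtemp())
    benign = tmp / "good_pkg" / "macros" / "helpers.sql"
    benign.parent.mkdir(parents=True)
    benign.write_text("{% macro cents_to_dollars(col) %}{{ col }} / 100{% endmacro %}\n")
    shadow = tmp / "sus_pkg" / "macros" / "materializations" / "table.sql"
    shadow.parent.mkdir(parents=True)
    shadow.write_text("{% materialization table, default %}\n"
                      "  -- constructed placeholder body\n"
                      "{% endmaterialization %}\n")
    return find_builtin_overrides(tmp)
```

Any hit from a package you did not expect to replace core behaviour deserves a manual review of that file; dbt 1.8 additionally lets you refuse implicit overrides through the `require_explicit_package_overrides_for_builtin_materializations` flag described on the legacy-behaviors docs page referenced below.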
References
- docs.getdbt.com/docs/build/packages
- docs.getdbt.com/reference/global-configs/legacy-behaviors
- github.com/advisories/GHSA-p3f3-5ccg-83xq
- github.com/dbt-labs/dbt-core
- github.com/dbt-labs/dbt-core/commit/3c82a0296d227cb1be295356df314c11716f4ff6
- github.com/dbt-labs/dbt-core/commit/87ac4deb00cc9fe334706e42a365903a1d581624
- github.com/dbt-labs/dbt-core/security/advisories/GHSA-p3f3-5ccg-83xq
- github.com/pypa/advisory-database/tree/main/vulns/dbt-core/PYSEC-2024-66.yaml
- nvd.nist.gov/vuln/detail/CVE-2024-40637
- tempered.works/posts/2024/07/06/preventing-data-theft-with-gcp-service-controls
- www.elementary-data.com/post/are-dbt-packages-secure-the-answer-lies-in-your-dwh-policies
- www.equalexperts.com/blog/tech-focus/are-you-at-risk-from-this-critical-dbt-vulnerability